[arch-general] Any way to decrypt hashes set by ssh HashKnownHosts?

Thomas Bächler thomas at archlinux.org
Wed May 21 12:05:59 EDT 2008


eliott schrieb:
> Just because you can't see it doesn't mean it doesn't exist.
> unhashed known_hosts *is* more unsecure.
> 
> If someone gets access to your account, they would get
> a) your key
> b) a list of hosts that the key is valid for
> 
> hey! great!
> 
> Compound this with the fact that many people use keys without a
> passphrase (a bad practice), someone can 'harvest' known_host data,
> and worm out to other hosts.. here is the kicker ... in a way that is
> easily automated.

The point is, without any notice, we provided a different configuration 
file than the upstream configuration file. That's not how we do it, we 
always provide the upstream configuration file.

If someone thinks that having unhashed known_hosts is a security problem, 
then he/she can change this configuration option on his/her system, that 
is how Arch works. But now that hashed known_hosts silently became the 
default, I cannot revert back.
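For readers following the thread: the HashKnownHosts option being argued about replaces the hostname field of each known_hosts line with `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`. The script below is an added example, not part of this thread and not OpenSSH's own code; it builds a constructed two-line known_hosts file (the key blobs are placeholders, the salt is fixed so the output is reproducible) and shows the property the thread is discussing: a client that already knows the hostname can still match the entry, but someone reading the file cannot list the hashed hosts, only the plain ones. Entries with `@cert-authority`/`@revoked` markers and `[host]:port` forms are not handled here.

```python
import base64
import hashlib
import hmac
import os

# Hashed host field written by OpenSSH when HashKnownHosts=yes:
#   |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
HASH_MAGIC = "|1|"

# Fixed salt for a reproducible example only; OpenSSH draws a fresh random
# salt per entry, which is what keeps equal hostnames from hashing alike.
FIXED_SALT = bytes(range(20))


def hash_hostname(hostname: str, salt: bytes = b"") -> str:
    """Produce the hashed host field for hostname (random salt if none given)."""
    if not salt:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def hashed_entry_matches(host_field: str, hostname: str) -> bool:
    """True if a hashed host field was produced for hostname."""
    if not host_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed field, treat as no match
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def find_host(known_hosts: str, hostname: str) -> list:
    """Return the known_hosts lines that apply to hostname, as the ssh
    client would (plain comma-separated fields and hashed fields)."""
    hits = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        if host_field.startswith(HASH_MAGIC):
            if hashed_entry_matches(host_field, hostname):
                hits.append(line)
        elif hostname in host_field.split(","):
            hits.append(line)
    return hits


def enumerable_hosts(known_hosts: str) -> list:
    """Hostnames that can be read straight out of the file: only the
    plain entries. Hashed entries yield nothing without a guess to test."""
    names = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        if not host_field.startswith(HASH_MAGIC):
            names.extend(host_field.split(","))
    return names


# Constructed sample file: one plain entry, one hashed entry. The key
# material is a placeholder, not a real host key.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, keys are placeholders",
    "plain.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLAINKEY",
    hash_hostname("example.org", FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHASHEDKEY",
])

if __name__ == "__main__":
    print("readable without guessing:", enumerable_hosts(SAMPLE_KNOWN_HOSTS))
    print("matches for example.org:", find_host(SAMPLE_KNOWN_HOSTS, "example.org"))
    print("matches for example.com:", find_host(SAMPLE_KNOWN_HOSTS, "example.com"))
```

On a real system the same two operations are `ssh-keygen -H -f ~/.ssh/known_hosts` (rewrite every plain entry in hashed form) and `ssh-keygen -F hostname` (look up the entries for one host), and the per-user toggle Thomas refers to is `HashKnownHosts yes|no` in `~/.ssh/config` or `/etc/ssh/ssh_config`.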
